
Unblock EndPoint Client.

Created: 12 Dec 2010 • Updated: 14 Dec 2010 | 11 comments
This issue has been solved. See solution.

Hi,

 

I have created a firewall rule in Symantec Endpoint server to block all apps from getting Internet access except the ones I allow. I have put the allowed ones on top of the generic "Block All" rule. Seems to be working ok, but unfortunately it seems to have blocked the Endpoint client as well. How do I unblock the client?

I have allowed access to:

- SmcGui.exe

- Smc.exe

- SvcHost.exe

- Rundll32.exe

- SymCorp.exe

- ProtectionUtilSurrogate.exe

However, the little green light on the Symantec tray icon doesn't come back on. Which exe's am I missing?

Please advise.

Thanks!


.Brian's picture

SMC.exe should be unblocked; however, SEP should not require access to the Internet in order to connect to the SEPM, so this may be a different issue.

Did you block port 8014?

Restart smc and see if the dot comes back to indicate connection to the SEPM

Start >> Run >> smc -stop

wait 15 seconds

Start >> Run>> smc -start

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Vikram Kumar-SAV to SEP's picture

Rtvscan.exe

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Pawel Lakomski's picture

>> Did you block port 8014?

This port should be unblocked on the SERVER, not the client. Did you apply the same policy to your server? If so, open 8014 on the server. The test will be easy: put in the browser address:

http://SEP_server_name:8014/reporting

and see what happens.

Does the issue disappear when you turn off NTP? (to be sure it is related to SEP)

I do not think it is Rtvscan.exe - it is the scan engine process.

--

Cheers,

Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator

 

amita's picture

Hi,

I tried accessing the link the way you specified, with my server name. With the "Block All" rule enabled, I can open the link from the server itself, but NOT from another machine.

The other thing I noticed is that when I enabled the "Block All" rule, my server also lost the ability to connect to the Internet. I should mention that there is an SEP client installed on the server too.

Disabling the "Block All" rule makes everything ok. The SEP clients can connect again and my server can access the Internet again.

So obviously I need to refine that "Block All" rule. Is there some process that must be allowed so that Internet access is allowed? Like in Norton Internet Security, the "System" process had to be unblocked in order for clients to access the Internet. How do I unblock "System" in SEP since it's not an exe?

Also, how can I see precisely what is being blocked? We used to have Norton Internet Security before and that had a very nice prompt feature where we could see precisely which process was trying to access the Internet and allow it if we wanted. Any similar way to do that in SEP?

Your help is appreciated.

Thanks!

.Brian's picture

My apologies. Next time I will be more clear as to what I meant so incorrect assumptions are not made.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Vikram Kumar-SAV to SEP's picture

Well, is it the firewall rule or the Application Control rule as well?

Check the firewall logs to see what exactly is getting blocked and allow that.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

John_Prince's picture

SEP should have built in rules that prevent you from blocking the client. Even if you put a "Block All" rule at #1 SEP should still communicate.

Remote Product Specialist, Business Critical Services, Symantec

amita's picture

Hi,

It doesn't seem to work though. Please see my reply to Pawel above. Disabling the "Block All" rule allows the clients to communicate and the server to access the Internet again.

I should mention both the server and the clients are 64-bit. Windows Server 2008 R2 and Windows 7.

Thanks.

Vikram Kumar-SAV to SEP's picture

With the Block All rule, are you only blocking executables from connecting to the Internet, or is it the default block all rule that blocks all IPs, ports and protocols?

If it's the default then you need to allow the SEPM server IP and port 8014.

 

Check the traffic logs from SEP GUI > View Logs > Network Threat Protection > View Log > Traffic Log

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

SOLUTION
amita's picture

Hi, the traffic log is completely blank?? I go back as far as a week and it looks like no entries were recorded at all.

Edit: Ah, I see that each rule has a logging component. I have enabled the logging on that rule, and now data is flowing in.

And yes, I am using the default block all rule. Hopefully the traffic log will let me know which exe's to modify.

Thanks for the help so far. Really appreciated.

amita's picture

It looks like I needed to unblock ntoskrnl.exe and dns.exe on the server. Looks like that solved the problem. Thanks again everyone!
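
The step that resolved this thread (turn on logging for the "Block All" rule, then read the traffic log to see which processes it is dropping) can be scripted once the log is exported. This is an added example, not part of any post above; the CSV column names, rule names, addresses and rows are constructed for illustration and are not the real SEP traffic log export layout.

```python
import csv
import io
import ntpath
from collections import Counter

# Executables the original poster had already allowed above "Block All".
ALLOWED = {"smcgui.exe", "smc.exe", "svchost.exe", "rundll32.exe",
           "symcorp.exe", "protectionutilsurrogate.exe"}

# Constructed sample rows (assumed columns, documentation-range addresses).
SAMPLE_LOG = r"""time,action,rule,direction,protocol,local_port,remote_host,remote_port,application
2010-12-14 09:01:02,Blocked,Block All,Incoming,TCP,8014,192.0.2.21,49213,C:\Windows\System32\ntoskrnl.exe
2010-12-14 09:01:05,Blocked,Block All,Incoming,TCP,8014,192.0.2.22,49877,C:\Windows\System32\ntoskrnl.exe
2010-12-14 09:01:07,Blocked,Block All,Outgoing,UDP,53211,198.51.100.53,53,C:\Windows\System32\dns.exe
2010-12-14 09:01:09,Allowed,Allow SEP,Outgoing,TCP,50112,192.0.2.10,8014,C:\Example\Smc.exe
2010-12-14 09:01:11,Blocked,Other Rule,Outgoing,TCP,50200,198.51.100.80,80,C:\Example\example.exe
"""

def blocked_by_rule(log_text, rule_name="Block All"):
    """Count drops made by one rule, keyed by
    (executable, direction, protocol, service port)."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"].lower() != "blocked" or row["rule"] != rule_name:
            continue
        # ntpath parses Windows paths correctly on any OS.
        exe = ntpath.basename(row["application"]).lower()
        # The service port is the local one for incoming traffic and the
        # remote one for outgoing traffic; the other side is ephemeral.
        incoming = row["direction"].lower() == "incoming"
        port = int(row["local_port"] if incoming else row["remote_port"])
        hits[(exe, row["direction"], row["protocol"], port)] += 1
    return hits

def allow_candidates(hits, allowed=ALLOWED):
    """Executables the rule is dropping that have no allow rule yet."""
    return sorted({key[0] for key in hits} - allowed)

if __name__ == "__main__":
    hits = blocked_by_rule(SAMPLE_LOG)
    for (exe, direction, proto, port), n in hits.most_common():
        print(f"{n:3d}  {exe:<14} {direction:<9} {proto}/{port}")
    print("No allow rule yet:", ", ".join(allow_candidates(hits)))
```

Grouping by service port as well as executable lets the new allow rule be scoped to that traffic instead of opening the process to everything.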